From e94c02e53345f418cf51b44bc7bc64858dbf399b Mon Sep 17 00:00:00 2001 From: LaylaLiu-gmail <38268900+LaylaLiu-gmail@users.noreply.github.com> Date: Tue, 28 Feb 2023 11:37:16 +0800 Subject: [PATCH] Temp fix for service ca cert --- Kudu.Core/Kube/KubernetesClientUtil.cs | 42 ++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) diff --git a/Kudu.Core/Kube/KubernetesClientUtil.cs b/Kudu.Core/Kube/KubernetesClientUtil.cs index 4eb5614b..26d58a1e 100644 --- a/Kudu.Core/Kube/KubernetesClientUtil.cs +++ b/Kudu.Core/Kube/KubernetesClientUtil.cs @@ -1,4 +1,6 @@ using System; +using System.Diagnostics; +using System.IO; using System.Net.Http; using System.Net.Security; using System.Security.Cryptography.X509Certificates; @@ -11,6 +13,7 @@ public class KubernetesClientUtil public const int ClientRetryCount = 3; public const int ClientRetryIntervalInSeconds = 5; private const string caPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"; + private const string serviceCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"; public static void ExecuteWithRetry(Action action) { @@ -27,6 +30,7 @@ public static bool ServerCertificateValidationCallback( X509Chain certChain, SslPolicyErrors sslPolicyErrors) { + Console.WriteLine($"sslPolicyErrors: {sslPolicyErrors}"); if (sslPolicyErrors == SslPolicyErrors.None) { // certificate is already valid @@ -36,6 +40,7 @@ public static bool ServerCertificateValidationCallback( { // only remaining error state is RemoteCertificateChainErrors // check custom CA + bool caresult = true; var privateChain = new X509Chain(); privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; @@ -52,11 +57,44 @@ public static bool ServerCertificateValidationCallback( // root CA cert is not always trusted. chainStatus.Status != X509ChainStatusFlags.UntrustedRoot) { - return false; + Console.WriteLine($"ca crt: {chainStatus.Status}"); + caresult = false; + break; } } - return true; + if (caresult) + { + return true; + } + + if (File.Exists(serviceCAPath)) + { + var serviceCAprivateChain = new X509Chain(); + serviceCAprivateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + + var serviceCA = new X509Certificate2(serviceCAPath); + // https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chainpolicy?view=netcore-2.2 + // Add CA cert to the chain store to include it in the chain check. + serviceCAprivateChain.ChainPolicy.ExtraStore.Add(serviceCA); + // Build the chain for `certificate` which should be the self-signed kubernetes api-server cert. + serviceCAprivateChain.Build(certificate); + + foreach (X509ChainStatus chainStatus in privateChain.ChainStatus) + { + if (chainStatus.Status != X509ChainStatusFlags.NoError && + // root CA cert is not always trusted. + chainStatus.Status != X509ChainStatusFlags.UntrustedRoot) + { + Console.WriteLine($"service crt: {chainStatus.Status}"); + return false; + } + } + + return true; + } + + return false; } else {